Thu 19 May 2011

Filed under Sec.

Tags IPsec Lamer Moments Security

Practical Troubleshooting

I love pfSense. So far it's superior to every Linux-based routing appliance. No product is perfect, but the 2.0 release is very promising. I have been troubleshooting tunnels which inexplicably do not work. I have been receiving the following error during the phase 1 connection:

racoon: ERROR: couldn't find configuration

This usually means a significant mismatch exists in the phase 1 negotiation. Despite my meticulous efforts the tunnels would not start. I watched the IPsec logs hopelessly, trying many different things. What finally worked was connecting to the console, killing racoon and starting it manually in the foreground with debugging enabled, as follows:

racoon -d -v -F -f /var/etc/racoon.conf

While watching the debug output, I discovered that the negotiation packets were being sent from the wrong source IP address. One of my sites has multiple WAN links, and racoon was using the wrong source address for IPsec negotiation. The arriving phase 1 packet was clearly logged and rejected, because its source didn't match any configured peer.

Once I saw that, I was quickly able to determine what to do. However, if you don't have access to a host behind the pfSense firewall then you may have problems creating IPsec tunnels, because nothing generates traffic that matches the tunnel policy and triggers negotiation. I used the following to force a packet:

My firewall's LAN address, which is part of the IPsec local subnet scope, is 192.168.0.1. The remote network is 10.1.1.0/24. I need to create a single packet from 192.168.0.1 to something in 10.1.1.x.

ping -S 192.168.0.1 -c 1 10.1.1.3

What could be better?

If I had one admonition to pass on, it would be this: don't trust the log output of Racoon. I should have used tcpdump on both ends, watching for the packets that set up the sessions.

[2.0-RC1][root@gateway.site-a.com]/root(1): tcpdump -ni re0 port 500
16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:46.983927 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:56.985122 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:06.986307 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg

Had I done this at both ends, I would have clearly seen that the wrong interface was emitting packets. *Both* ends. That was my mistake. I trusted logs at Site-A, and I never verified my problem at Site-B. Hours of painstaking troubleshooting for no good reason.
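As an added example (not from the original post), here is a small POSIX sh/awk helper that summarises a tcpdump capture of udp/500 by direction, so one-sided phase 1 retransmissions like the ones above stand out immediately. The sample capture is constructed, modelled on the lines above; the 203.0.113.7 peer is an invented healthy exchange added for contrast.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -ni re0 port 500` output, modelled on the
# capture in the post. The 203.0.113.7 exchange is invented to show a pair
# that does get a response. For live use:
#   tcpdump -nl -i re0 port 500 | isakmp_phase1_summary
SAMPLE='16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:46.983927 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:10.000000 IP 192.168.81.126.500 > 203.0.113.7.500: isakmp: phase 1 I agg
16:41:10.200000 IP 203.0.113.7.500 > 192.168.81.126.500: isakmp: phase 1 R agg'

# Reads tcpdump lines on stdin. For every ordered (src, dst) pair seen in a
# phase 1 packet, prints "src dst sent replies": `sent` is the number of
# phase 1 packets src sent to dst, `replies` the number dst sent back.
# A pair with two or more packets and no reply is flagged NO_REPLY; that is
# the pattern of a peer retransmitting into a hole (wrong source address,
# wrong interface, or a filter in the path).
isakmp_phase1_summary() {
    awk '
    / isakmp: phase 1 / {
        src = $3; dst = $5                 # "a.b.c.d.500" and "w.x.y.z.500:"
        sub(/\.[0-9]+$/, "", src)          # strip the port
        sub(/\.[0-9]+:$/, "", dst)         # strip the port and trailing colon
        count[src " " dst]++
    }
    END {
        for (k in count) {
            split(k, p, " ")
            rev = p[2] " " p[1]
            sent = count[k]
            replies = (rev in count) ? count[rev] : 0
            flag = (replies == 0 && sent >= 2) ? " NO_REPLY" : ""
            printf "%s %s %d %d%s\n", p[1], p[2], sent, replies, flag
        }
    }' | LC_ALL=C sort
}

# Runs the summary over the constructed sample (also used by the test).
summarise_sample() {
    printf '%s\n' "$SAMPLE" | isakmp_phase1_summary
}

summarise_sample
```

Run it at both ends: a peer that shows NO_REPLY on one side while the other side never sees the packet arrive tells you which interface or address to look at.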

Workaround

My current imperfect workaround is to add the following line to each of my remote sites' crontab:

# cat crontab|grep newsys
*       *       *       *       *       root    /sbin/ping -S 192.168.0.1 -c 1 10.1.1.1

Obviously I turfed this above; I just thought I would share it with everyone. This has the net effect of a 60 second tunnel keepalive. It may not be appropriate for some environments. Good luck.


Fri 04 January 2008

Filed under Sec.

Tags Cool Security

If you have to work in networks with any Windows products, coupled with MSDE or SQL Express you will eventually run into memory consumption problems. Apparently no GUI interface deals with it. I have seen numerous complaints on the Internet for sqlservr.exe consuming loads of memory. Some psychos recommend ...

Read More

Wed 19 December 2007

Filed under Sec.

Tags Cool Python

Everyone needs a decent IP port forwarder, once in a while. Here are three great ones:

  • Thread-based, this is my most frequently used.

  • Async-Core - recently used when the threaded model wouldn't forward an ssh session (???)

  • Pinhole - another threaded implementation.

The Async-core version is clearly the hottest. It runs as ...

Read More

Fri 12 October 2007

Filed under Sec.

Tags Geek Lamer Moments

There are a number of articles on removing Symantec AntiVirus silently. There is a link to a thread on avoiding MSI uninstall reboots. There are good suggestions and some bad. Mostly it's simple. Cleaning up SAV w/o a prompt, password, or user-required action is a little non-trivial.

Someone else ...

Read More

Tue 28 August 2007

Filed under Sec.

Tags Cool Geek

I found a neat recipe for forwarding TCP ports under python. It's so short and succinct that I had to post about it. Also, I may never find it again.

ASPN Recipe

Read More

Sat 24 February 2007

Filed under Sec.

Since the days waned on IMR, I have begun recreating my open source lore. Most of my coolest articles are gone, but here is where I have begun to rebuild.

Read More

Wed 26 July 2006

Filed under Sec.

Tags Lamer Moments Security

My own private war is with my habits. So often when testing web services, I will set up a name in /etc/hosts allowing a quick and dirty approach to debugging, testing, or whatever.

I use kerberos and this is a problem, considering that I added this:

198.145.247.218 ...

Read More

Thu 22 June 2006

Filed under Sec.

Tags IPsec Security

Cisco VPN concentrators are a regular occurrence in the field. They can be the bane of your life. However, there is one simple change to enable these to consistently work with multiple policy routed subnets.

In your /etc/ipsec.conf, set the policy level to 'unique' instead of 'require ...

Read More

Thu 02 February 2006

Filed under Sec.

Tags Cool Security

Shorewall is a firewall administration package for Linux. I use it heavily. It isn't the easiest, nor does it have a GUI front end. However, it is fairly easy to set up complex firewalling with not a lot of work. It is also easy to set up for simple configurations.

  • One-interface ...

Read More

Fri 13 January 2006

Filed under Sec.

I have been trying to find a coordinated way to deal with lots of bad traffic, across multiple hosts, and at length across multiple sites. There are so many ssh sweepers out there, so many mail-spam bots, etc. We have an evolving method of dealing with Spammers, but even that ...

Read More

Fri 30 December 2005

Filed under Sec.

I wrote a little howto for the guys at work on setting up Kerberos. Anyone interested can see what I did here

Read More

Fri 23 December 2005

Filed under Sec.

Tags IPsec Lamer Moments

I think that IPsec tunnels are cool. COOL. Managing them SUCKS. I have been through the wringer this week. Three Ciscos, one Linux box, four Watchguards, two Netopias, a dash of Netgear switches, a 3com switch, several T-1s and two ISPs. If you can say that ten times real fast ...

Read More

Sat 17 December 2005

Filed under Sec.

Tags Retarded

Security, or the process of attempting to protect computers, is an imprecise science at best. How do you secure SSH?

  • Key-based Authentication

    • Strength: Difficult to break
    • Weakness: Carrying keys around
  • Kerberos

    • Strength: Fewer passwords
    • Strength: Can be used instead of passwords for many services.
    • Weakness: You can catch auth-sessions, then ...

Read More

Fri 16 December 2005

Filed under Sec.

Tags Cool IPsec

Shorewall firewall is the nicest/most complete firewall I have used. Back in the day I rolled my own. However, as ipfwadm became ipchains and that too passed into iptables I became aware of a basic fact: Firewalling's needs and habits change too fast for my brain to handle ...

Read More

Thu 15 December 2005

Filed under Sec.

Tags IPsec Lamer Moments

TCPMSS - AKA Maximum Segment Size - is an extremely important TCP value in its own right. It determines how large the data block in any TCP packet is. When you're dealing with IPsec VPNs, this value, and not so much the MTU, decides your success or failure.

When dealing with Encrypted ...

Read More

Up To Something © Joshua M Schmidlkofer